Thursday, June 15, 2006

"Reporting trumps analysis. There is too much emphasis on delivering raw numbers; not enough emphasis on presenting information in ways that allow users to understand what is going on. Put another way: success is defined as delivering accurate data filtered as the user has defined it. What if success was about delivering new insights about what's going on in the enterprise?"

OMG, I love the quote! That is exactly what I think log management should focus on!

How to jam your neighbor's Wi-Fi legally (George Ou, ZDNet.com): "While Airgo's third generation product achieves record breaking throughput, it annihilates any legacy 802.11 b/g product in the vicinity and effectively shuts them down. .. What's crazy is that these products are FCC legal and are being sold on store shelves today."

Just a comment for you Wikipedia fans that I saw on a mailing list - it's funny as hell ...

"I needed a reference for a paper and couldn't find one that agreed with my definition of the problem ... So I uploaded a definition to wikipedia and then cited the wikipedia entry. Noting also that wikipedia is well respected as an authoritative reference."

"... Basically you better look like a log management vendor or you need to get into the remediation business... Given the continued focus around compliance there is a lot of running room for the log management business. For the time being, the auditors have money. The compliance budget is not long lived, but for now take the money and run."

The main insight is: if you think you are in the "protection business", you'd better protect and not just report/alert/scream/bitch/harass (or people will laugh at you!). What if your technology provides superior capabilities to do just the above? Relax, you should be in the "audit business", and there is nothin' wrong with that!

I personally am happy to see Preventsys go [down the drain of a firesale]. Over the last 2-3 years I always brought them up as the example of a deeply confused company, which itself doesn't know what it is doing. Other terms that I've heard were "solution in search of a problem that doesn't exist", "in need of adult supervision" and (sorry!) "enterprise crapware."

Seriously, I looked at their website some time ago and I was also confused about what they actually do. So, I went and talked to their engineers at a conference and - wow! - they were confused too and couldn't explain either the technology or their ROI model. Hmmm! I did the same a year later - with exactly the same result.

Now, I see McAfee using the pieces of their technology in various areas to bulk up Foundstone and other solutions they have. I hope I won't see them selling it as a whole, since, in this case, the "Confusion" spell will be cast onto McAfee itself :-)

A very smart outlook on things related to monitoring comes from SecurityIncite:

"From a security point of view, monitoring is not very interesting. The idea of knowing what has happened, without really doing anything about it - strikes me as a waste of time. But that is if your job title has SECURITY in it. If you are an auditor or compliance officer, the last thing you want to do is remediate."

Monitoring != protection; it never did equal protection, and it should not. Monitoring is about verification, confirmation, assurance!

Monday, June 05, 2006

So this discussion on risk was ignited by Donn Parker's piece (called "Making the Case for Replacing Risk-Based Security") in "ISSA Journal", but now others have chimed in (and taken sides!). I will blog more on this in the coming days, but for now, here is something to meditate on (a quote from Richard Bejtlich's blog): "As security professionals I agree we are trying to reduce risk, but trying to measure it is a waste of time."

So is this as dumb as it seems? One would think that when you reduce something, you have to know that it actually became smaller, which to me sounds like you need to measure it?

One possible explanation is that one doesn't need to come up with an absolute value of risk; a relative one will suffice. But can we go further in our thought experiment of justifying the above seemingly silly line? Yes, we can! If you've just been compromised, you know what actions will improve security, even if you don't think of it in terms of reducing risk.

Are you using compliance to sell something expensive? If HIPAA is your favorite regulation to do that, you should check this out: CSI Blog, "HIPAA's Got No Bite": "According to the story, the Health and Human Services office (HHS) has not yet imposed a single fine for HIPAA violations." (as of 06/01/2006)

Thursday, June 01, 2006

Sorry for quoting almost the entire blog post, but it is a fun read for those involved with product management: “The top 12 Product Management Mistakes” by Martin Cagan, Silicon Valley Product Group: http://www.svproduct.com/papers/toppmmistakes.pdf.

Summary:

1. Confusing Customer Requirements with Product Requirements
2. Confusing Innovation with Value
3. Confusing Yourself with Your Customer
4. Confusing the Customer with the User
5. Confusing Features with Benefits
6. Confusing Building the Right Product with Building the Product Right
7. Confusing a Good Product with a Good Business Model
8. Confusing Inspiring Features with "Nice-to-Have" Features
9. Confusing Adding Features with Improving the Product
10. Confusing Impressive Specifications with an Impressive Product
11. Confusing a Complete Product with a Sellable Product
12. Confusing Product Launch with Success

This - yeah, you guessed it! - fun report by Eric Ogden from Enterprise Strategy Group is called "Security Information Lifecycle: Data Retention of Event Logs for Compliance". Among other interesting bits, it makes the point that a "typically active Fortune 500 corporation [is] generating 250,000 events [or log records] per second".

Is it scary? It depends on what scares you (and, of course, whether you are easily scared :-))

* Does collecting all this data scare you? Actually, it's not that scary as long as your log collection is distributed and thus does not cause any major bandwidth consumption in one network segment...
* Does storing all this data scare you? Actually, it's pretty benign given the great combination of high log compressibility with cheap disk drives (even when sizes hit terabytes). Yes, we are talking about storing all this data on disk, not tape (it will be clear why in the next item!)
* Does accessing all this data scare you? Aah, we hit a good one. Some of the solutions that claim to support the above rate only support it for collection+storage (which are the easy - or easier - parts), and if you want to actually access the data - it's another story. It might involve a bit of waiting...
* Does making sense of all this data scare you? Well, this one is a bummer as well - it is pretty scary. But it opens a whole universe of log analysis, which justifies a later post... One thing I would like to note is that making sense of data should be more automated than in most current solutions: the less time the user spends thinking the better (after a lot of thinking was done by the software developers and log analysis researchers...)
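To put the 250,000 events per second figure into the numbers a capacity planner would actually use, here is an added example (not from the original post or the ESG report) that carries the rate through to inbound bandwidth per collection segment and compressed on-disk storage over a retention window. The average record size, compression ratio, retention period, link speed and collector count are assumptions.

```python
# Added example: rough capacity model for a high log rate such as the
# 250,000 events/second figure quoted above. Record size, compression
# ratio, retention, link speed and collector count are assumptions,
# not figures from the post or the ESG report.
import math
from dataclasses import dataclass

SECONDS_PER_DAY = 24 * 60 * 60


@dataclass(frozen=True)
class LogLoad:
    events_per_second: int
    avg_record_bytes: int      # assumed average size of one log record
    compression_ratio: float   # assumed raw:compressed ratio, 10.0 means 10:1
    retention_days: int
    collectors: int            # network segments sharing the collection load

    def raw_bytes_per_second(self) -> int:
        return self.events_per_second * self.avg_record_bytes

    def total_mbps(self) -> float:
        # Inbound rate in megabits per second if everything hit one segment.
        return self.raw_bytes_per_second() * 8 / 1_000_000

    def bandwidth_per_collector_mbps(self) -> float:
        # Why distributed collection matters: the share each segment carries.
        return self.total_mbps() / self.collectors

    def collectors_needed(self, link_mbps: float, max_utilization: float = 0.5) -> int:
        # Segments required to keep each link below the chosen utilization.
        return math.ceil(self.total_mbps() / (link_mbps * max_utilization))

    def raw_bytes_per_day(self) -> int:
        return self.raw_bytes_per_second() * SECONDS_PER_DAY

    def disk_bytes_for_retention(self) -> float:
        # Compressed on-disk footprint over the whole retention window.
        return self.raw_bytes_per_day() * self.retention_days / self.compression_ratio


def terabytes(n: float) -> float:
    return n / 1_000_000_000_000


if __name__ == "__main__":
    load = LogLoad(events_per_second=250_000, avg_record_bytes=200,
                   compression_ratio=10.0, retention_days=365, collectors=20)
    print(f"raw inbound: {load.raw_bytes_per_second() / 1e6:.0f} MB/s "
          f"({load.total_mbps():.0f} Mbps on a single segment)")
    print(f"per collector: {load.bandwidth_per_collector_mbps():.0f} Mbps")
    print(f"collectors for 100 Mbps links at 50%: {load.collectors_needed(100)}")
    print(f"raw per day: {terabytes(load.raw_bytes_per_day()):.2f} TB, "
          f"on disk for {load.retention_days} days: "
          f"{terabytes(load.disk_bytes_for_retention()):.1f} TB")
```

With the assumed 200-byte records, the quoted rate is about 50 MB/s (400 Mbps) of raw log traffic and roughly 4.3 TB per day, which is why spreading collection across segments and relying on compression are what make the number manageable.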

About Me

He is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books "Security Warrior", "PCI Compliance" and "Logging and Log Management" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, security management, honeypots, etc. His blog securitywarrior.org was one of the most popular in the industry.

In addition, Anton teaches classes (including his own SANS class on log management) and presents at many security conferences across the world; he recently addressed audiences in the United States, UK, Singapore, Spain, Russia and other countries. He worked on emerging security standards and served on the advisory boards of several security start-ups.

Before joining Gartner in 2011, Anton was running his own security consulting practice www.securitywarriorconsulting.com, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.